In an advisory (patch included), the software giant said the security hole exists because an attacker could invoke the ActiveX control from script code, which would allow the attacker to view and manipulate metadata contained in the media library on the susceptible PC.

The ActiveX feature is included in WMP9 to allow the creation of Web pages that can play media and provide a user interface by which the user can control playback. For instance, when a user visits a Web page with embedded multimedia, the ActiveX control provides a user interface that allows the user to take such actions as pausing or rewinding the content.

Microsoft warned that a successful attacker would have to host a malicious exploit on a Web page and persuade a user to visit that site. "An attacker could also embed a link to the malicious site in an HTML e-mail and send it to the user. After the user previewed or opened the e-mail, the malicious site could be visited automatically without further user interaction," the company said.

While a successful attack would allow access to the media library on a vulnerable PC, the flaw does not allow access to the user's hard disk. "(An attacker) would not have access to passwords or encrypted data," Microsoft noted.

It is not the first time security holes have appeared in the WMP software. Last June, Microsoft issued a cumulative patch to fix three flaws in WMP versions 6.4, 7.1 and Windows XP.

The company also issued a 'critical' alert for a flaw in the way 'skin' files are downloaded in some versions of WMP. That security hole affected WMP version 7.1 and WMP for Windows XP version 8.0 and allowed attackers to "force a file masquerading as a skin file" into a user's system.